CVE-2023-38710 - OpenCVE

An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Libreswan	Libreswan
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:libreswan:libreswan:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
libreswan-0:4.12-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:7052	2023-11-14T00:00:00Z
Red Hat Enterprise Linux 9
libreswan-0:4.12-1.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6549	2023-11-07T00:00:00Z

References

Link	Providers
https://github.com/libreswan/libreswan/releases/tag/v4.12
https://github.com/libreswan/libreswan/tags
https://libreswan.org/security/CVE-2023-38710/
https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt
https://nvd.nist.gov/vuln/detail/CVE-2023-38710
https://www.cve.org/CVERecord?id=CVE-2023-38710

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-25T00:00:00

Updated: 2024-08-02T17:46:56.611Z

Reserved: 2023-07-24T00:00:00

Link: CVE-2023-38710

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-25T21:15:08.167

Modified: 2023-12-11T19:34:38.997

Link: CVE-2023-38710

Redhat

Severity : Moderate

Publid Date: 2023-08-08T00:00:00Z

Links: CVE-2023-38710 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libreswan:libreswan:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FD4136B-12B7-4FCA-B643-47F5FEA652EA", "versionEndExcluding": "4.12", "versionStartIncluding": "3.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20."}, {"lang": "es", "value": "Se ha descubierto un problema en Libreswan anterior a 4.12. Cuando un paquete IKEv2 Child SA REKEY contiene un n\u00famero de ID de protocolo IPsec no v\u00e1lido de 0 o 1, se devuelve una notificaci\u00f3n de error INVALID_SPI. El ID de protocolo de la carga \u00fatil de la notificaci\u00f3n se copia del paquete entrante, pero el c\u00f3digo que verifica los paquetes salientes falla en la afirmaci\u00f3n de que el ID de protocolo debe ser ESP (2) o AH(3) y hace que el demonio pluto se bloquee y reinicie. NOTA: la primera versi\u00f3n afectada es la 3.20.\n"}], "id": "CVE-2023-38710", "lastModified": "2023-12-11T19:34:38.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-25T21:15:08.167", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/libreswan/libreswan/tags"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://libreswan.org/security/CVE-2023-38710/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank X1AOxiang for reporting this issue.", "affected_release": [{"advisory": "RHSA-2023:7052", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libreswan-0:4.12-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:6549", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libreswan-0:4.12-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "libreswan: Invalid IKEv2 REKEY proposal causes restart", "id": "2225368", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2225368"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-617", "details": ["An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20.", "An assertion failure flaw was found in the Libreswan package that occurs when processing IKEv2 REKEY requests. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notification INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3). This flaw allows a malicious client or attacker to send a malformed IKEv2 REKEY packet, causing a crash and restarting the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack."], "name": "CVE-2023-38710", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libreswan", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-08-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-38710\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-38710\nhttps://github.com/libreswan/libreswan/releases/tag/v4.12\nhttps://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt"], "statement": "IKEv2 REKEY requests are only processed when received from authenticated peers, limiting the scope of possible attackers to peers who have successfully authenticated.", "threat_severity": "Moderate", "upstream_fix": "libreswan 4.12"}